Vulnerabilities in Node.js and the c-ares library were disclosed on July 11 2017 by the Node.js Foundation. IBM SDK for Node.js has addressed the applicable CVEs.
CVEID: CVE-2017-11499 DESCRIPTION: Node.js is vulnerable to a denial of service, caused by a flaw related to constant HashTable seeds. A remote attacker could exploit this vulnerability to flood the hash and cause a denial of service.
CVSS Base Score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/129465> for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2017-1000381**
DESCRIPTION:** c-ares could allow a remote attacker to obtain sensitive information, caused by an out-of-bounds read in the ares_parse_naptr_reply() function when parsing NAPTR responses. By sending specially crafted DNS response packet, an attacker could exploit this vulnerability to
CVSS Base Score: 6.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/128625> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L)
These vulnerabilities affect IBM SDK for Node.js v4.8.3 and earlier releases.
These vulnerabilities affect IBM SDK for Node.js v6.11.0.0 and earlier releases.
These vulnerabilities affect IBM SDK for Node.js v8.1.2.0 and earlier releases.
The fixes for these vulnerabilities are included in IBM SDK for Node.js v4.8.4.0 and subsequent releases.
The fixes for these vulnerabilities are included in IBM SDK for Node.js v6.11.1.0 and subsequent releases.
The fixes for these vulnerabilities are included in IBM SDK for Node.js v8.1.4.0 and subsequent releases.
IBM SDK for Node.js can be downloaded, subject to the terms of the developerWorks license, from here.
IBM customers requiring an update for an SDK shipped with an IBM product should contact IBM support, and/or refer to the appropriate product security bulletin.
CPE | Name | Operator | Version |
---|---|---|---|
ibm sdk for node.js | eq | 4.0 | |
ibm sdk for node.js | eq | 6.0 |